Gold Dragon Implant Linked to Pyeongchang Olympics Attacks

McAfee has discovered an implant that they believe was used as a second-state payload in the recent fileless attacks targeting organizations involved with the upcoming Olympics Games in Pyeongchang, South Korea.

In early January, McAfee's security researchers warned that hackers had already began targeting the Pyeongchang Olympic Games with malware-infected emails. The first such attacks reportedly took place on December 22, with the sender’s address spoofed to appear as if the messages came from the South Korea's National Counter-Terrorism Center.

The hackers were using a PowerShell implant to establish a channel to the attacker’s server and gather basic system-level data, but McAfee couldn’t immediately determine what the attackers did after gaining initial access to a victim’s system.

McAfee has since published a report detailing additional implants used in the attacks, which were used to gain persistence on targeted systems and for continued data exfiltration, including Gold Dragon, Brave Prince, Ghost419, and RunningRat.

Gold Dragon, a Korean-language implant observed on December 24, 2017, is believed to be the second-stage payload in the Olympics attack, with a much more robust persistence mechanism than the initial PowerShell implant.

Designed as a data-gathering implant, Gold Dragon has the domain golddragon.com hardcoded and acts as a reconnaissance tool and downloader for subsequent payloads. It also generates a key to encrypt data gathered from the system, which is then sent to the server ink.inkboom.co.kr.

Gold Dragon is not a full-fledged spyware, as it only has limited reconnaissance and data-gathering functionality. The malware, which had its first variant in the wild in South Korea in July 2017, features elements, code, and behavior similar to Ghost419 and Brave Prince, implants that McAfee has been tracking since May 2017.

The malware lists the directories in the user’s Desktop folder, in the user’s recently accessed files, and in the system’s %programfiles% folder, and gathers this information along with system details, the ixe000.bin file from the current user’s UserProfiles, and registry key and value information for the current user’s Run key, encrypts the data, and sends it to the remote server.

The malware can check the system for processes related to antivirus products and cleaner applications, which it can then terminate to evade detection. Furthermore, it supports the download and execution of additional components retrieved from the command and control (C&C) server.

Also a Korean-language implant featuring similarities to Gold Dragon, Brave Prince too was designed for system profiling, capable of gathering information on directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware was first seen in December 13, 2017. It is also capable of terminating a process associated with a tool that can block malicious code.

First observed in the wild in December 18, 2017, Ghost419 is a Korean-language implant that can be traced to July 29, 2017, to a sample that only shares 46% of the code used in the December samples. This malware appears based on Gold Dragon and Brave Prince, featuring shared elements and code, especially related to system reconnaissance.

The attackers also used a remote access Trojan (RAT) in the Pyeongchang Olympics attacks, the security researchers say. Dubbed RunningRat, this tool operates with two DLLs, the first of which kills any antimalware solution on the system and unpacks and executes the main RAT DLL, in addition to gaining persistence.

The second DLL, which employs anti-debugging techniques, is decompressed in memory, which results in a fileless attack, as it never touches the user’s file system. The malware gathers information about the operating system, along with driver and processor information, and starts capturing user keystrokes and sending them to the C&C server.

“From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed,” McAfee reveals.

All of these implants can establish a permanent presence on the victim’s system, but they require a first-stage malware that provides the attacker with an initial foothold on the victim’s system. Some of the implants would only achieve persistence if Hangul Word (the South Korean-specific alternative to Microsoft Office) is running on the system.

“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” McAffee concludes.